Could Third Party Apps Spell Trouble for Enterprises?

Research company CloudLock recently released a report on its findings about mobile computing as it relates to IT departments.

Traditionally, IT departments held complete control over software deployed in the enterprise. More recently, employees tend to use third-party applications, and according to CloudLock, that poses a major security threat for corporate environments and the often sensitive private information with which they work.

CloudLock’s report stated that the number of third-party apps affiliated with corporate settings has increased by over 30-fold in just two years; this year the apps number 150,000, whereas in 2014 they were in the 5,500 range.

This astounding leap in quantity comes with a leap in risk. CloudLock found that over a quarter of the apps made for business settings were “high risk” apps that were likely to be attacked and abused by cybercriminals.

While many of those apps have slipped under the radar, CloudLock also found that a fair number of companies have noticed the loose security of apps and banned many of them from workplaces due to security-related concerns.

As Ayse Kaya-Firat, director of customer insights and analytics at CloudLock, explains, the major security problems stem from a particular subset of third-party apps:

“The apps that touch the corporate backbone are the riskiest of all shadow applications,” she explained. “When you want to use them, some of them ask you to authorize them to use your corporate credentials. When you do that you give those apps, and by extension their vendors, access to your corporate network.”

“I may enable an app’s access and two years later, I may not even remember I have the app on my phone, but the app continues to have programmatic access to all my data,” Kaya-Firat added.

This can be especially problematic because the only way for organizations to protect themselves from these kinds of vulnerabilities is to develop a high-level strategy to address them.

“They just can’t go over each application one-by-one, because of the growth rate. They need specific application-use policies. They need to decide how they will whitelist or ban applications,” said Kaya-Firat. “They need to share those decisions with their end users… It can’t be a secret thing, because end users are taking action on these things on a day-to-day basis.”

To make matters worse, hackers know how to evade protection and keep a cloak of secrecy over their operations. They use a method called operations security, or Opsec, to make it harder for authorities to catch on to their harmful hacking techniques.

“The ones that have mature Opsec will not use anything that ties their personal life to the legend they’ve created,” explained Rick Holland, vice president of strategy at Digital Shadows. “They’ll use specialized operating systems designed to preserve anonymity… They’ll do their evil from public hotspots and spoof their MAC address so they can’t be traced from the logs for the hotspot.”

Still, authorities have been quick to catch on to hackers’ methods of obfuscation, forcing hackers to find new and more legitimate ways to preserve their security.

“Cybercriminals will need to adopt a ‘defense in depth’ strategy. It’s something they’ll need to do across their spectrum of people, process and technology,” he concluded.